Hi Joerg,
> My concern is not MD5, its SHA-1. I don't see that we can get rid of
> SHA-1 in certificates in the next 5 years:
> * None of the alternatives is widely implemented today.
> * For controlled environments like in-house applications you might be
> able to switch earlier (0-2 years).
>
[EMAIL PROTECTED]
> Sent: vrijdag 11 maart 2005 11:52
> To: Olle Mulmo
> Cc: Weger, B.M.M. de; cryptography@metzdowd.com
> Subject: Re: Colliding X.509 Certificates
>
> Olle Mulmo wrote:
> > Seems to me that a CA can nullify this attack by choosing a serial
> number or
Olle Mulmo wrote:
> Seems to me that a CA can nullify this attack by choosing a serial
number or RDN component (after all, a CA should vet the DN and not
simply sign what's in the PKCS#10 request), such that the public key
does not end up at an "appropriate" DER-encoded offset in the
> certifica
Seems to me that a CA can nullify this attack by choosing a serial
number or RDN component (after all, a CA should vet the DN and not
simply sign what's in the PKCS#10 request), such that the public key
does not end up at an "appropriate" DER-encoded offset in the
certificate. Or am I completel
Benne,
> One could e.g. construct the to-be-signed parts of the certificates,
> and get the one certificate signed by a CA. Then a valid signature for
> the other certificate is obtained, while the CA has not seen proof of
> possession of the private key of this second certificate.
>From the pape
Hi all,
We announce the construction of two different valid X.509 certificates
that have identical signatures. This is based on MD5 collisions.
One could e.g. construct the to-be-signed parts of the certificates,
and get the one certificate signed by a CA. Then a valid signature for
the other ce